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Amendments to the Specification: 

Please amend the Specification as follows: 

Please replace the Specification with the replacement Specification shown in 
clean form attached hereto having the underlined additions and stricken deletions as shown in the 
attached Marked-Up Version of the Specification. 
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POWER PLANT AND METHOD THEREOF 

AUG 2 0 2003 

technical field Technology Center 2100 

The invention relates generally to a protection system for nuclear power 
5 plant and method thereof. More particularly, the present invention relates to an improved 
digital-based reactor protection system and an engineered safety features actuation system. 

BACKGROUND OF THE INVENTION 
A nuclear power plant is a system to which safety is very important in view 
of its characteristics. One of important system that must be played for the safety of the 

10 nuclear power plant is a reactor protection system. An Instrument and Control (l&C) 

system including the reactor protection system is a system that serves as brains of humans 
in a nuclear power plant, which significantly affects its operation as well as safety of the 
entire nuclear power plant. Therefore, improvement in the performance of the I&C system 
such as the nuclear protection system and safety of reliability of a high level will provide 

15 significant effects to economic benefits and improved safety in the nuclear power plant. 

Most of a reactor protection system in a pressurized light-water nuclear 
power plant, now widely used in the domestic, is based on an analog circuit, which is 
composed of a process measuring system consisting of a lot of analog circuit substrates and 
a solid state protection system (SSPS) made of hardware for performing LCL. 

20 The reactor protection system has several problems, which will be explained 

as follows. 

First, as it is based on an analog circuit, there is a problem in a circuit itself 
such as drift and worn-out components. 

Second, it requires a periodic check for maintenance. As this check nearly 
25 entirely depends on manpower, however, there is a problem that a significant amount of 
cost and time is wasted. 
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Third, there is a problem (hat the reactor is unnecessarily stopped during the 

check. 

Meanwhile, now only the reactor protection system itself is a system 
consisted of high value-added nuclear power plant safety-class equipments but also most of 
5 a rector for receiving signals and other constituent elements are a nuclear power plant 
safety-class equipments. As most of the nuclear power plant safety-class equipment 
requires technology of a high level, a lot of cost for development and purchase are required. 
In particular, an I&C system that depends on a foreign technology additionally bears an 
engineering cost of 3 to 4 times to the cost for manufacturing the equipment, there is a 

10 great economic burden. As a concrete example, the plant control system (PCS) included in 
Gori 2th SSPS costs about 1 8 millions dollars. If this nuclear power plant I&C system is 
localized, the engineering cost as well as the manufacturing cost could be significantly 
reduced. Also, considering that the level of technology in which the nuclear power plant 
I&C system requires is significantly high, it could be expected that the level of the I&C 

15 system related industries could be increased accordingly. In this view, it is very 

meaningful to localize the reactor protection system that is the core in the nuclear power 
plant I&C system. 

In order to overcome these problems, it is necessary to develop a software 
based digital nuclear power plant protection system. 

20 Meanwhile, examining a digital plant protection system (DPPS), which has 

been developed in order to solve the above-mentioned problems, there has been proposed a 
passive test method in which an alert is issued by an interface & test processor if any 
problem occurred while continuously monitoring the bistable processor and a LCL 
processor, and an active test method by which a specific channel is bypassed and a test 

25 signal is applied to compare an output signal and a feedback signal. 

In the passive test method being an online test, the state of the system is 
continuously monitored. However, the active test method bypasses and then periodically 
performs a test, which could not continuously monitor the state of the system. 
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As a result, as the system test in the conventional digital plant protection 
system monitors the state of respective channels and components, there is an advantage that 
relatively detailed information about the malfunction of specific components may be 
obtained. However, as it accordingly requires the software of higher complexity and the 
5 system test itself is passive, though the system stability could be continuously monitored in 
a normal state of operation, there is a problem that the stability in the trip state of the 
reactor could not be secured. 

SUMMARY OF THE INVENTION 
The present invention is contrived to solve the above problems and an object 

10 of the present invention is to provide an improved digital software-based reactor protection 
system and an engineered safety features actuation system, which can be applied to present 
nuclear power plants. 

In order to accomplish the above objects, a digital online active test - plant 
protection system (DOAT-PPS) in a nuclear power plant according to the present invention 

15 is characterized in that it comprises a test generating computer (TGC) for generating a test 
input for self-diagnosis, said test input being inserted between actual safety parameters as a 
test parameter and a test signal position bit indicating a position information of the test 
input; a trip algorithm computer (TAC) for receiving the safety parameters through the 
TGC from a plurality of measuring channels which are physically and electrically isolated 

20 from each other and then comparing the safety parameters and a predetermined limit values 
by the safety parameters to determine a trip state of the safety parameters, if there is a test 
input by said TGC; a voting algorithm computer (VAC) for receiving trip signals from state 
of each of the safety parameters determined by said TAC in each of the channels, 
determining a final state of each of the safety parameters and then outputting the result; and 

25 a pattern recognition computer (PRC) for expecting a signal pattern to be input from the 

VAC by using the test signal position bit which is inputted through the VAC from the TGC. 
comparing the signal pattern on a one to one basis with the result determined by said VAC, 



3 




CLEAN VERSION OF THE SPECIFICATION 

and then if the signal pattern and the result are not consistent, determining to trip the 
reactor. 

Further, a digital online active test plant protection method in a nuclear 
power plant comprises a first step of generating, in a test generating computer (TGC), a test 
5 input for self-diagnosis, said test input being inserted between actual safety parameters as a 
test parameter and a test signal position bit indicating a position information of the test 
input; a second step of receiving, in a trip algorithm computer (TAC) ; the safety parameters 
through said TGC from a plurality of measuring channels which are physically and 
electrically isolated from each other and then comparing the safety parameters and a 

10 predetermined limit values by the safety parameters to determine a trip state of the safety 
parameters, if there is a test input in said first step; a third step of receiving, in a voting 
algorithm computer (VAC), trip state of each of the safety parameters determined by said 
second step in each of the channels, determining a final state of each of the safety 
parameters and then outputting the result; and a fourth step of expecting, in a pattern 

15 recognition computer (PRC), a signal pattern to be input from said VAC by using the test 
signal position bit which is input through the VAC from the TGC, comparing the signal 
pattern by one to one with the result determined by said third step, and then if the signal 
pattern and the result are not consistent, determining to trip the reactor. 

Further, in a recording medium readable by a computer and on which a 

20 program is recorded, the program executes a first step of generating, in a test generating 
computer (TGC), a test input for self-diagnosis, said test input being inserted between 
actual safety parameters as a test parameter and a test signal position bit indicating that said 
test input is currently generated at what position of the process parameters a position 
information of the test input; a second step of receiving, in a trip algorithm computer 

25 (TAC), plant operating safety parameters through said TGC from a plurality of measuring 
channels which are physically and electrically isolated each other and then comparing the 
safety parameters and a predetermined setpoints by the safety parameters to determine a 
trip state of the safety parameters, if there is a test input in said first step; a third step of 



4 




CLEAN VERSION OF THE SPECIFICATION 

receiving, in a voting algorithm computer (VAC), the trip state of each of the safety 
parameters determined by said second step in each of the channels, determining a final 
state of each of the safety parameters and then outputting the result; and a fourth step of 
expecting, in a pattern recognition computer (PRC), a signal pattern to be input from said 
5 VAC by using the test signal position bit which is input through the VAC from the TGC, 
comparing the signal pattern by one to one with the result determined by said third step, 
and then if the signal pattern and the result are not consistent, determining to trip the 
reactor. 

BRIEF DESCRIPTION OF THE DRAWINGS 
10 The aforementioned aspects and other features of the present invention will 

be explained in the following description, taken in conjunction with the accompanying 
drawings, wherein: 

Fig. 1 is a schematic view of a digital online active test - plant protection 
system (DOAT - PPS) at one channel according to one embodiment of the present 
15 invention; 

Fig. 2 is a diagram illustrating the difference between a conventional digital 
plant protection system (DPPS), a dynamic safety system (DSS) and the DOAT-PPS 
according to one embodiment of the present invention; and 

Fig. 3 is a functional schematic diagram of a prior art dynamic safety system 
20 (DSS) as used in comparison in Fig. 2. 

DETAILED DESCRIPTION OF THE INVENTION 
A digital online active test - plant protection system (hereinafter called 
"DOAT-PPS") according to one embodiment of the present invention will be described in 
detail with reference to accompanying drawings. 
25 Fig. 1 is a schematic view of the DOAT-PPS according to one embodiment 

of the present invention. First, the major components of the DOAT-PPS includes a test 
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generating computer (TGC) 1 10 for generating a test input, a trip algorithm computer 
(TAC) 1 20 for receiving a safety parameter and for comparing it with a trip setpoint, and to 
generate a trip state, a voting algorithm computer (VAC) 130 for receiving trip state 
determined by TAC in each of the channels to perform a logic, a pattern recognition 
5 computer (PRC) 140 for generating a rector trip signal, a manual test computer (MTC) 150 
for providing an input and output function by which an operator can monitor and control 
input/output signals from the TGC 1 10, the TAC 120, the VAC 130 and the PRC 140, and 
a remote control module (RCM) 160 installed at a main control panel, for displaying the 
operating state of the system and for performing various functions necessary to monitor the 
10 test and maintain the system. Each of the TGC 1 10, the TAC 120, the VAC 130, and the 
PRC 140 includes a processor module PM, a communications module CM, a digital input 
module DI and a digital output module DO. At least the TGC 1 10 also includes an analog 
input module AI. 

The DOAT-PPS according to one embodiment of the present invention is 
15 composed of four independent measuring channels like a conventional DSS (see e.g., Prior 
Art Fig. 3). 

The reactor trip signal is generated when more than two measuring channels 
among the four measuring channels, that are physically and electrically isolated, surpass a 
predetermined trip set value. At this time, the trip set value is a value predetermined for 

20 the safety parameters. If the trip set value is surpassed, it means the state of the reactor is 
unstable, which will be explained in detail hereinafter. 

In other words, the function of the reactor protection system is to minimize 
the possibility that radioactivity can be leaked to surrounding environments by tripping the 
reactor, when the nuclear power plant is entered into an abnormal state out of a normal 

25 operating state. The reactor protection system receives signals from the reactor and other 
components to generate a trip signal using trip logic when they get out of normal operation 
conditions. 
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The signals inputted into the four independent channels are inputted to the 
TAC 120 via the TGC 1 10. Here, the TGC 1 J 0 is an integral portion of a digital online 
active test according to the present invention, which generates a test input and a test signal 
position bit. 

5 At this time, the test input is a command to start the test. Also, the test 

signal position bit assists the function of the test input generated at the TGC 1 10 and also 
functions to inform that the test input is generated at what position of the safety parameters. 
In other words, the DOAT-PPS automatically continuously performs an active test and 
generates a test input to determine whether respective components are stable or not by 

10 replacing an actual input. Therefore, knowing where the test input is located is a very 
important factor and the test signal position bit functions to inform this position to entire 
components. Also, a diagnosis for each of the TAC 1 20, the VAC 1 30 and the PRC 140 
can be made in real time using the test signal position bit. 

The TAC 120 determines the trip state of each of the safety parameters and 

15 forwards the trip state to the VAC 130. That is, the trip state determined by the TAC 120 
in each channel enters the VACs 130 in the four channels as an input signal, and the VAC 
130 determines whether a final state of each of the safety parameters by means of an 
adequate voting logic (generally 2/4 logic). The voting logic is a desired or specified item 
that is selected at the time of constructing a nuclear power plant. 

20 Meanwhile, the PRC 140 expects a signal pattern to be inputted from the 

VAC and then compares it on a one to one basis with the final trip state determined by the 
VAC 130. As a result of the comparison, if they do not match, the PRC 140 determines 
that the reactor should be tripped and transmits it to respective initiation logics. 

Also, the MTC 150 provides an input and output function by which an 

25 operator can monitor and control input/output signals from the TGC 1 10, the TAC 120, the 
VAC 130 and the PRC 140. 
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In addition, the RCM 160, which is installed at a main control panel, 
displays the operating system of the system and performs various functions necessary for 
monitoring and maintenance of the system. 

Each of the components of will be below explained in more detail. 
5 First, the TGC J 10 is a core portion of a digital online active test according 

to the present invention and generates a test input and a test signal position bit, which 
initiates a test automatically. 

If the test is automatically initiated, the TGC J 10 receives safety parameters 
as an input signal from an environment neutron flux monitoring system (ENFMS), a 
10 remote shutdown panel and a core protection calculator system (CPCS) via an analog input 
module AI or a digital input module DL 

The TAC J 20 contains a trip algorithm and performs the two following 

functions. 

First, it determines whether the reactor has to be tripped or not using the trip 

15 algorithm. 

Second, it controls the TGC 1 10. The TGC 1 10 generates a test input 
making respective safety parameters into reactor trip states depending on the trip algorithm. 
The test input is inserted between actual safety parameters as a test parameter for testing. 
The initiation software of the TAC 120 compares the safety parameters and the 
20 predetermined setpoint by the safety parameters to determine a trip state using the trip 
algorithm. The trip state is transmitted to the VAC 130 via a programmable logic 
controller (PLC) digital output module. That is, the TAC 120 determines a trip state of all 
of the safety parameters by means of the trip logic and transmits the trip state to the VAC 
130. 

25 In the embodiment of the present invention, if the TAC 120 is implemented 

using PLC, it includes a central process module, a power supply module, an analog input 
module, a digital input module and a digital output module. 
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Meanwhile, the safety parameters, which are applied to the input terminal of 
the TAC J 20, are as follows. 

First, it is a variable over power trip. The change ratio of the neutron flux 
level is increased over a program setpoint or the neutron flux reaches a predetermined 
5 maximum value, the reactor is tripped. There is a difference of about 15% between the 
output and the trip setpoint. If the output of the reactor is increased, the trip setpoint is also 
decreased to maintain the range of 13.6%. If the output of the reactor is reduced, the trip' 
setpoint is maintained at 13.6%. As the maximum increased ratio of the trip setpoint is 
14.6%/min, however, if the output of the reactor is increased over the maximum, a trip of 
10 the reactor is occurred. The purpose of this trip function is to assist the engineered safety 
features actuation system in mitigating the result of an accident when a control rod is 
extracted. 

Second, it is a high logarithmic power level trip. The high logarithmic 
power level trip is initiated in order to trip the reactor when a predetermined neutron flux 

15 output reaches a predetermined maximum value. The purpose of this trip is to secure 

safety of a cloth and a reactor coolant pressure boundary when accidents such as dilution of 
boric acid or extraction of an uncontrollable control rod are occurred. 

Third, it is a high local power density trip. When a core maximum output 
density is locally over a specific value, the reactor is tripped. This is caused by generation 

20 of a trip signal in the core protection calculator. The input signal used in the trip signal is 
an output, the location of the control rod, the temperature, pressure and flow rate of the 
reactor coolant, etc. The purpose of this trip function is so that the local power density 
does not surpass the design limit value upon medium frequency and rare frequency 
accidents. The local output density is calculated in the core protection calculator using the 

25 output of a neutron flux and the distribution of a radial-directional output, the output of a 
radial-direction tip by the measurement of the location of respective rods, and the 
temperature of the reactor coolant and the output between the temperatures by 
measurement of the flow rate. The local power density trip parameters calculated by the 



9 




CLEAN VERSION OF THE SPECIFICATION 



core protection calculator (CPC) are ones that considered an error and a dynamic 
compensation. This ensures that the tip value of the core local power density does not 
surpass the limit value of the local power density safety limit value after the reactor is 
tripped when the core local power trip value is actually sufficiently lower than the nuclear 
5 fuel design limit value. The dynamic compensation considers the transfer delay of the core 
fuel center temperature (related to variations of the power density), delay time of the 
detector and time delay effect of the protection system. A method of calculating an error of 
the core protection calculator related to the tip local power density is same to the method 
used in Departure From Nucleate Boiling Ratio (DNBR) calculation, wherein the DNBR is 

10 a physical amount indicating that coolant within the reactor is boiled to generate bubbles. 

Fourth, it is a low Departure From Nucleate Boiling Ratio trip. If the NBR 
reaches a predetermined minimum value, the reactor will be tripped. That is, it assists the 
engineered safety features actuation system for mitigating the result when the reactor 
coolant pump is out of order or the steam generator is leaked. The NBR may be calculated 

15 in the core protection calculator using the neutron flux output and the axial-directional 
power distribution by the neutron detector in the reactor, the radial-direction tip output by 
measuring the locations of each of the control rods, the output between the temperatures by 
measuring the temperature and the flow rate of the reactor coolant, the pressure of the 
coolant system by measuring the pressure of the pressurizer, the flow rate of the coolant by 

20 the speed of the reactor coolant pump and the core inlet temperature by measuring the cold 
leg temperature. In this case, considering the delay of the detector and the processing time 
and inaccuracy, a trip is generated before the NBR surpasses the setpoint. Also, the 
calculation method uses a DNBR calculation method, which ensures that the reactor can be 
tripped in a state that the calculated DNBR is sufficiently higher than 1.30 so that it does 

25 not override the DNBR safety limit value even though the core DNBR value is reduced. 
The dynamic compensation indicates the transfer delay of the coolant, the thermal delay of 
the core (related to the core output variations), the time delay of the detector, the time delay 
of the protection system, etc. The error of the core protection calculator related to the 

10 
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DNBR calculation includes an input measurement error of the core protection calculator, a 
calculation equation modeling error and a computer process error. The DNBR calculation 
equation used in the core protection calculator is effective within the predetermined limit 
value. Therefore, if the core protection calculator is operated out of the limit value, it 
5 generates a DNBR/LPD trip signal. 

Fifth, it is a high pressurizer pressure trip. This trip is to secure a safety of 
the reactor coolant pressure boundary when the medium frequency and the rare frequency, 
which could be over-pressurized, have occurred. If the pressure of the pressurizer is over 
the set value, the reactor trip occurs and extraction of the control rod is prohibited. 

10 Sixth, it is a Jow pressurizer pressure trip. This trip assists the NBR trip, 

prevents accessing the setpoint ands assists the engineered safety features actuation system 
when an accident such as Joss of coolant accident (LOCA) occurs. When the plant is 
stopped or cooled, it allows the operator to manually decrease the setpoint. If the pressure 
is increased, the setpoint is increased with a given difference. 

] 5 Seventh, it is a low steam generator level trip. This trip prevents the reactor 

from becoming is pressurized due to the absence of a thermal removal source such as loss 
of a water supply. That is, when the water level of the steam generator is reduced, a 
protection action is taken to ensure a time sufficient to operate the assistant water supply 
pump for removing remaining heat. 

20 Eighth, it is a high steam generator level trip. This trip prevents moisture 

from a steam generator from entering the turbine, thus preventing damage to the equipment. 
That is, if the level of each of the steam generators surpasses the set value, a trip of the 
reactor occurs. 

Ninth, it is a low steam generator pressure trip. This trip assists the 
25 engineered safety features actuation system in order to prevent the reactor coolant from 
cooling when a steam tube is disrupted. 

Tenth, it is a low reactor coolant flow rate trip. This trip senses the pressure 
difference between the front and the rear stairs in the first side of the steam generator. 
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Thus, if this pressure difference falls by a significant ratio or under a predetermined 
minimum value, a trip of the reactor occurs. 

Eleventh, it is a high containment pressure trip. This trip sets the pressure of 
the container not to surpass the design pressure when accidents such as loss of a design 
5 standard coolant or damage of a main steam tube within the containment occur. That is, if 
the pressure within the containment reaches the sctpoint, a trip signal of the reactor occurs. 

Twelfth, it is a manual reactor trip. This trip provides a means for tripping 
the reactor in the main control room. Also, it is made possible in the reactor trip switching 
gear. 

10 The VAC 130 receives the trip state of respective safety parameters 

determined by the TAC 120 and a trip channel bypass signal related to it. At this time, it is 
operated depending on a confirm algorithm by which only one channel can be bypassed at 
a time. Here, the trip channel bypass means that when one of the four channels could not 
be operated by an accident, it functions to remove that channel. 

1 5 In the present embodiment, if signals from more than two channels of the 

four measuring channels indicate trip states, trip signals are outputted to corresponding 
safety parameters. If the trip channel bypass exists, more than two of the three trip signals 
that are not bypassed indicate trip states to make a trip signal. Also, it receives position 
information of the test input for self-diagnosis generated by the TGC 110 and then 

20 forwards it to the PRC 140. 

The RPC 140 receives the trip state of each of the safety parameters 
determined by the VAC 130 and the position information of the test trip signal input for 
self-diagnosis through the VAC from the TGC. The trip state generated in the safety 
parameters corresponding to the test trip position input means that the system is normal, 

25 and thus a reactor trip signal is not generated. When the-trip state of the safety parameters 
not corresponding to the test input is normally received, however, a reactor trip signal is 
generated. 
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Referring now to Fig. 2, the difference between the conventional digital 
plant protection system (DPPS), a dynamic safety system (DSS) and the DOAT-PPS 
according to one embodiment of the present invention will be explained in detail below. 

Though all of the three systems are similar since they are based on a 
5 software-based digital system, the two systems are different from the DOAT-PPS in 
several detailed points. 

First, examining a control scheme, all of the systems are a software based 
digital system. Examining major apparatuses, the DSS adopts a board controller scheme 
but the DPPS and the DOAT-PPS employ a PLL scheme. 
10 Also, all of the three systems perform functions based on the software and 

have the number of four measuring channels. In view of a test method, the DPPS must be 
directly initiated by an operator but the DSS and the DOAT-PPS are automatically initiated. 

Further, examining a system interface scheme, the DPPS uses an interface & 
test processor (ITP) scheme but the DSS does not have a specified scheme and the DOAT- 
15 PPS is performed in the MTC 

Also, in the test input generation algorithm, the DPPS adopts a predefined 
scenario algorithm, the DSS adopts a fixed test input algorithm and the DOAT-PPS adopts 
an intelligent test input generating algorithm and an input signal position bit algorithm. 

Also, examining the online diagnostic monitoring section, the DPPS and the 
20 DSS adopt a partial diagnostic monitoring scheme but the DOAT-PPS adopts a diagnosis 
monitor scheme for all the components. 

The present invention has been described with reference to a particular 
embodiment in connection with a particular application. Those having ordinary skill in the 
art and access to the teachings of the present invention will recognize additional 
25 modifications and applications within the scope thereof. 

It is therefore intended by the appended claims to cover any and all such 
applications, modifications, and embodiments within the scope of the present invention. 
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As mentioned above, the present invention has outstanding advantages that 
it can design an intelligent test system capable of monitoring the state of all the 
components as well as all types of errors. and it can improve the use and the maintenance. 
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